Look Up IP Addresses with Custom Detection Prefix

Detect known-malicious source IP addresses with the ioc:lookup() function, using the prefix parameter to customize the names of the output fields.

Query

logscale
ioc:lookup(src_ip, type="ip_address", prefix="detection", confidenceThreshold=low)

Introduction

The ioc:lookup() function can be used to check if IP addresses match entries in Indicators of Compromise (IOC) lists. The function performs lookups against a local copy of CrowdStrike's curated database of IOCs and enriches matching events with detailed threat intelligence using customizable field prefixes.

In this example, the ioc:lookup() function is used to check source IP addresses against IOC lists, with results stored in fields prefixed with detection.

Example incoming data might look like this:

| @timestamp               | src_ip        | dst_ip        | bytes_transferred | connection_status |
|--------------------------|---------------|---------------|-------------------|-------------------|
| 2025-08-06T10:15:30.000Z | 192.168.1.100 | 45.33.32.156  | 1544              | success           |
| 2025-08-06T10:15:31.000Z | 192.168.1.101 | 185.159.83.24 | 2048              | success           |
| 2025-08-06T10:15:32.000Z | 192.168.1.102 | 172.16.0.100  | 856               | success           |
| 2025-08-06T10:15:33.000Z | 192.168.1.103 | 91.245.73.85  | 1028              | success           |
| 2025-08-06T10:15:34.000Z | 192.168.1.104 | 10.0.0.50     | 922               | success           |
| 2025-08-06T10:15:35.000Z | 45.32.129.185 | 10.0.0.50     | 922               | success           |

Step-by-Step

  1. Starting with the source repository events.

  2. logscale
    ioc:lookup(src_ip, type="ip_address", prefix="detection", confidenceThreshold=low)

    Performs an IOC lookup on the src_ip field.

    The type parameter is set to ip_address to specify the kind of indicator being looked up. The prefix parameter is set to detection, so the output fields are named detection.detected, detection[0].indicator and so on instead of using the default prefix ioc. If no match is found, no additional fields are added to the event. The function checks both IPv4 and IPv6 addresses.

    The confidenceThreshold parameter is set to low so that indicators rated with low malicious confidence are returned as well, rather than being filtered out. This widens coverage at the cost of more matches that require analyst triage.

    When a match is found, the function sets detection.detected to true and adds the detection[0].indicator, detection[0].type, detection[0].labels, detection[0].malicious_confidence, detection[0].published_date and detection[0].last_updated fields describing the matched indicator.

  3. Event Result set.
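To make the output field layout and the threshold behaviour concrete, here is an added Python example; it is not part of the LogScale documentation and does not reproduce the ioc:lookup() implementation. It runs a simulated lookup over the page's sample events (plus one constructed event) against a constructed, in-memory IOC table, producing the same detection.detected and detection[0].* field names shown on this page. The confidence ordering low < medium < high, the default threshold of high, the 203.0.113.7 indicator and the seventh event are assumptions of this example.

```python
import csv
import io

# Ranking used to apply the confidence threshold. The page's query only uses
# "low"; the ordering low < medium < high is an assumption of this example.
CONFIDENCE_RANK = {"low": 0, "medium": 1, "high": 2}

# Constructed stand-in for the local IOC database, keyed by indicator value.
# The 45.32.129.185 entry copies the labels and timestamps from the sample
# output on this page; 203.0.113.7 (a documentation-range address) is invented
# here as a high-confidence indicator to show the threshold filtering.
IOC_TABLE = {
    "45.32.129.185": {
        "type": "ip_address",
        "malicious_confidence": "low",
        "labels": "Actor/FANCYBEAR,IPAddressType/AdversaryControlled,"
                  "KillChain/ActionOnObjectives,KillChain/C2,"
                  "MaliciousConfidence/Low,Malware/Meterpreter,Malware/Xtunnel,"
                  "ThreatType/Criminal,ThreatType/Proxy,ThreatType/Targeted",
        "published_date": 1463063677000,
        "last_updated": 1752747451000,
    },
    "203.0.113.7": {
        "type": "ip_address",
        "malicious_confidence": "high",
        "labels": "MaliciousConfidence/High,ThreatType/Criminal",
        "published_date": 1700000000000,
        "last_updated": 1750000000000,
    },
}

# The six incoming events from the page plus one constructed event (the last
# line) whose source address is the invented high-confidence indicator.
SAMPLE_EVENTS = """\
@timestamp,src_ip,dst_ip,bytes_transferred,connection_status
2025-08-06T10:15:30.000Z,192.168.1.100,45.33.32.156,1544,success
2025-08-06T10:15:31.000Z,192.168.1.101,185.159.83.24,2048,success
2025-08-06T10:15:32.000Z,192.168.1.102,172.16.0.100,856,success
2025-08-06T10:15:33.000Z,192.168.1.103,91.245.73.85,1028,success
2025-08-06T10:15:34.000Z,192.168.1.104,10.0.0.50,922,success
2025-08-06T10:15:35.000Z,45.32.129.185,10.0.0.50,922,success
2025-08-06T10:15:36.000Z,203.0.113.7,10.0.0.50,512,success
"""

IOC_FIELDS = ("type", "malicious_confidence", "labels",
              "published_date", "last_updated")


def load_events(text=SAMPLE_EVENTS):
    """Parse the CSV sample into a list of event dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def ioc_lookup(events, field, ioc_table=IOC_TABLE, ioc_type="ip_address",
               prefix="ioc", confidence_threshold="high"):
    """Enrich events whose `field` value matches an indicator of `ioc_type`
    rated at or above `confidence_threshold`.

    Output fields follow the layout shown on this page: <prefix>.detected
    plus <prefix>[0].indicator, <prefix>[0].labels and so on. Events with no
    qualifying match are returned unchanged, so a missing <prefix>.detected
    means "not matched" (the LogScale table renders that as <no value>).
    The default prefix "ioc" and the default threshold "high" are choices
    made for this example.
    """
    minimum = CONFIDENCE_RANK[confidence_threshold]
    enriched = []
    for event in events:
        out = dict(event)
        value = event.get(field)
        ioc = ioc_table.get(value)
        if (ioc is not None and ioc["type"] == ioc_type
                and CONFIDENCE_RANK[ioc["malicious_confidence"]] >= minimum):
            out[f"{prefix}.detected"] = "true"
            out[f"{prefix}[0].indicator"] = value
            for key in IOC_FIELDS:
                out[f"{prefix}[0].{key}"] = ioc[key]
        enriched.append(out)
    return enriched


def detected_indicators(events, prefix):
    """Return the matched indicators, in event order, for a given prefix."""
    return [e[f"{prefix}[0].indicator"] for e in events
            if e.get(f"{prefix}.detected") == "true"]


if __name__ == "__main__":
    events = load_events()
    # The page's query: low threshold, custom "detection" prefix.
    low = ioc_lookup(events, "src_ip", prefix="detection", confidence_threshold="low")
    for e in low:
        if e.get("detection.detected") == "true":
            print(e["src_ip"], e["detection[0].malicious_confidence"], e["detection[0].labels"])
    # Raising the threshold drops the low-confidence FANCYBEAR hit.
    print(detected_indicators(ioc_lookup(events, "src_ip", prefix="detection"), "detection"))
```

Running the script with the low threshold reports both the FANCYBEAR address from the page and the constructed high-confidence one; with the default threshold only the constructed one remains, which is exactly the difference the confidenceThreshold parameter makes in the real query.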

Summary and Results

The query identifies potentially malicious source IP addresses by checking them against CrowdStrike's IOC database, includes low-confidence matches, and stores the detection information in fields with the custom prefix detection.

This query is useful, for example, to surface every potential threat in network traffic, including indicators with lower confidence ratings, and to enrich the matching events with CrowdStrike's threat intelligence. Because the prefix controls the output field names, the results can also be fed into existing security workflows that expect a specific field naming convention. Keep in mind that a low threshold increases the number of false positives, so low-confidence hits are better suited to triage than to direct alerting.

Sample output from the incoming example data:

| @timestamp    | @timestamp.nanos | @timezone | bytes_transferred | connection_status | detection.detected | detection[0].indicator | detection[0].labels | detection[0].last_updated | detection[0].malicious_confidence | detection[0].published_date | detection[0].type | dst_ip       | src_ip        |
|---------------|------------------|-----------|-------------------|-------------------|--------------------|------------------------|---------------------|---------------------------|-----------------------------------|-----------------------------|-------------------|--------------|---------------|
| 1754475330000 | 0                | Z         | 1544              | success           | <no value>         | <no value>             | <no value>          | <no value>                | <no value>                        | <no value>                  | <no value>        | 45.33.32.156 | 192.168.1.100 |
| 1754475331000 | 0                | Z         | 2048              | success           | <no value>         | <no value>             | <no value>          | <no value>                | <no value>                        | <no value>                  | <no value>        | 185.159.83.24 | 192.168.1.101 |
| 1754475332000 | 0                | Z         | 856               | success           | <no value>         | <no value>             | <no value>          | <no value>                | <no value>                        | <no value>                  | <no value>        | 172.16.0.100 | 192.168.1.102 |
| 1754475333000 | 0                | Z         | 1028              | success           | <no value>         | <no value>             | <no value>          | <no value>                | <no value>                        | <no value>                  | <no value>        | 91.245.73.85 | 192.168.1.103 |
| 1754475334000 | 0                | Z         | 922               | success           | <no value>         | <no value>             | <no value>          | <no value>                | <no value>                        | <no value>                  | <no value>        | 10.0.0.50    | 192.168.1.104 |
| 1754475335000 | 0                | Z         | 922               | success           | true               | 45.32.129.185          | Actor/FANCYBEAR,IPAddressType/AdversaryControlled,KillChain/ActionOnObjectives,KillChain/C2,MaliciousConfidence/Low,Malware/Meterpreter,Malware/Xtunnel,ThreatType/Criminal,ThreatType/Proxy,ThreatType/Targeted | 1752747451000 | low | 1463063677000 | ip_address | 10.0.0.50 | 45.32.129.185 |

Note that the detection.detected field indicates whether a match was found, and that only the matched event carries the detection[0] fields with the threat intelligence details; on the other events those fields are absent, which the result table renders as <no value>.

Labels provide context about the threat actor, malware types, and threat categories. For more details, see ioc:lookup().